Data Protection Manager

Updated: about 2 months ago
Location: Worcester, MASSACHUSETTS

GENERAL SUMMARY OF POSITION: 

Under the general direction of the University of Massachusetts Chan Medical School’s (UMass Chan) Associate CIO - Information Security Officer and UMass Chan’s Information Security and Compliance Manager, the Data Protection Manager (DPM) is the individual responsible for the governance and oversight of the proper management of all protected data, primarily the security and privacy of protected health information under the Health Insurance Portability and Accountability Act (HIPAA), and also including the Family Educational Rights and Privacy Act (FERPA), the Federal Information Security Modernization Act (FISMA), and Massachusetts regulation 201 CMR 17.00 (Standards for the Protection of Personal Information of Residents of the Commonwealth), in compliance with NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. The DPM works within a team of highly skilled information security professionals and participates in security and compliance efforts across all facets of UMass Chan. The DPM works closely with the Senior Privacy Officer to proactively address organizational requirements under HIPAA. The DPM liaises with departments and business units and provides direction to the key contacts throughout the organization who are responsible for day-to-day application-level access control and authorization. The DPM is responsible for understanding the business or academic model of the respective UMass Chan units, as well as the federal and state regulations and contractual requirements that affect UMass Chan business, academic and research units. The DPM also manages an institution-wide Data Protection Program to ensure that access to, and the management of, data under UMass Chan’s stewardship complies with the relevant security and privacy laws and regulations.

ESSENTIAL FUNCTIONS:

  • Enhance and administer the UMass Chan Data Protection Program ensuring that access to data is appropriate and compliant with federal, state, and contractual requirements
  • Provide direction to Data Security Administrators (DSA) as to their role within the Data Protection Program
  • Serve as the management-level Information Security liaison with business units and academic and research departments for compliance-related requirements and questions
  • Bring privacy issues or concerns forward to the Office of Management
  • Communicate with and provide direction and oversight to/for business units and academic and research areas to ensure that access control processes are properly implemented in accordance with the information security and privacy practices of UMass Chan
  • Assist business and academic areas in classifying data as defined by UMass Chan and University Board of Trustee policies
  • Monitor business, research, and academic units to assess whether UMass Chan data are protected at the appropriate levels as defined by UMass Chan policies
  • Monitor business units to assess the level of compliance with privacy and information security policies and standards and assist with necessary corrections
  • Assist in defining and appropriately disseminating information to business, research, and academic areas
  • Assist in incident assessment and remediation for business, research, and academic areas
  • Coordinate with UMass Chan compliance and legal representatives to evaluate specific federal, state, contractual or individual reporting or notification requirements
  • Participate in regular risk assessments throughout UMass Chan, and serve as primary management contact for information gathering, remediation, and tracking those activities
  • Identify and implement procedural or technology enhancements to improve processes and enable efficiencies
  • Provide management oversight of application access, role development and account recertification for business, academic and research applications
  • Participate in appropriate committees, as requested, and facilitate the vetting of policies and procedures
  • Assist in identifying business, academic, or research information security or privacy risk areas or vulnerabilities
  • Maintain knowledge of HIPAA, FERPA, FISMA, NIST and other applicable regulations, and collaborate with UMass Chan compliance and legal representatives to identify and analyze updates to applicable regulatory requirements
REQUIRED QUALIFICATIONS:

  • Bachelor’s Degree in Business Management, Compliance/Risk Management, Information Security or equivalent experience
  • 7 years of progressive experience working on privacy and security matters within an Information Technology, Information Security, Risk Management, Privacy or Compliance department
  • Experience in leading information security or privacy initiatives requiring direct communication with, and direction to, teams throughout an organization to ensure that requirements are identified and applied
  • Experience in information security or privacy incidents and investigations with corresponding analysis and corrective actions/risk mitigations
  • Knowledge of and experience with HIPAA requirements and their practical application, as well as other relevant state and federal security and privacy standards and regulations
  • Ability to collaborate with UMass Chan management, Information Technology, and business stakeholders to achieve objectives
  • Ability to present risk and compliance status to management
  • Excellent oral and written communication skills

PREFERRED QUALIFICATIONS:

  • Experience in a healthcare environment, higher education environment or research organization
  • Knowledge of information security standards and regulations such as ISO/IEC 27000, NIST, FISMA, PCI DSS, FERPA
  • Security, Privacy and/or Healthcare Compliance Certifications: CHC, CHPC, CIPP, CISSP, CISA, CISM
  • Ability to create and produce metrics based on key performance indicators (KPIs)